ABSTRACT

The purpose of this guide is to help the policy maker
address a series of questions regarding the protection and safety of
computer systems and data processed within his/her agency. It
introduces information systems security concerns, outlines the
management issues that must be addressed by agency policies and
programs, and describes the essential components of an effective
implementation process. The guide is divided into four major
sections: (1) Executive Responsibilities (set the security policy of
the organization); (2) Executive Goals (reduce risk to an acceptable
level, assure organizational continuity, comply with applicable laws
and regulations, and assure integrity and confidentiality); (3)
Information Protection Program Elements (need for policies and
procedures, extension of protection from automated information
resources to all forms of media, accountability for information,
vulnerability assessment, data access, systems development,
hardware/software configuration control, and operational controls);
and (4) Information Protection Program Implementation (information
protection management, independence of functional areas within the
agency, degree of centralization, need for dedicated staff member at
program management level, implementation stages, training, monitoring
and enforcement, and maintenance). Sources for additional information
are also provided. (MAB)



The National Institute of Standards and Technology¹ was established by an act of Congress on March 3,
1901. The Institute's overall goal is to strengthen and advance the Nation's science and technology and
facilitate their effective application for public benefit. To this end, the Institute conducts research to assure
international competitiveness and leadership of U.S. industry, science and technology. NIST work involves development
and transfer of measurements, standards and related science and technology, in support of continually improving
U.S. productivity, product quality and reliability, innovation and underlying science and engineering. The Institute's
technical work is performed by the National Measurement Laboratory, the National Engineering Laboratory, the
National Computer Systems Laboratory, and the Institute for Materials Science and Engineering.

The National Measurement Laboratory

Provides the national system of physical and chemical measurement;
coordinates the system with measurement systems of other nations
and furnishes essential services leading to accurate and uniform
physical and chemical measurement throughout the Nation's scientific
community, industry, and commerce; provides advisory and research
services to other Government agencies; conducts physical and chemical
research; develops, produces, and distributes Standard Reference
Materials; provides calibration services; and manages the National
Standard Reference Data System. The Laboratory consists of the
following centers:

• Basic Standards²
• Radiation Research
• Chemical Physics
• Analytical Chemistry

The National Engineering Laboratory

Provides technology and technical services to the public and private
sectors to address national needs and to solve national problems;
conducts research in engineering and applied science in support of these
efforts; builds and maintains competence in the necessary disciplines
required to carry out this research and technical service; develops
engineering data and measurement capabilities; provides engineering
measurement traceability services; develops test methods and proposes
engineering standards and code changes; develops and proposes new
engineering practices; and develops and improves mechanisms to
transfer results of its research to the ultimate user. The Laboratory
consists of the following centers:

• Computing and Applied Mathematics
• Electronics and Electrical Engineering²
• Manufacturing Engineering
• Building Technology
• Fire Research
• Chemical Engineering³

The National Computer Systems Laboratory

Conducts research and provides scientific and technical services to aid
Federal agencies in the selection, acquisition, application, and use of
computer technology to improve effectiveness and economy in Government
operations in accordance with Public Law 89-306 (40 U.S.C. 759),
relevant Executive Orders, and other directives; carries out this mission
by managing the Federal Information Processing Standards Program,
developing Federal ADP standards guidelines, and managing Federal
participation in ADP voluntary standardization activities; provides
scientific and technological advisory services and assistance to Federal
agencies; and provides the technical foundation for computer-related
policies of the Federal Government. The Laboratory consists of the
following divisions:

• Information Systems Engineering
• Systems and Software Technology
• Computer Security
• Systems and Network Architecture
• Advanced Systems

The Institute for Materials Science and Engineering

Conducts research and provides measurements, data, standards, reference
materials, quantitative understanding and other technical information
fundamental to the processing, structure, properties and performance
of materials; addresses the scientific basis for new advanced
materials technologies; plans research around cross-cutting scientific
themes such as nondestructive evaluation and phase diagram development;
oversees Institute-wide technical programs in nuclear reactor
radiation research and nondestructive evaluation; and broadly disseminates
generic technical information resulting from its programs. The
Institute consists of the following divisions:

• Ceramics
• Fracture and Deformation³
• Polymers
• Metallurgy
• Reactor Radiation

¹ Headquarters and Laboratories at Gaithersburg, MD, unless otherwise noted; mailing address
Gaithersburg, MD 20899.
² Some divisions within the center are located at Boulder, CO 80303.
³ Located at Boulder, CO, with some elements at Gaithersburg, MD.





NIST Special Publication 500-169 



Executive Guide to the 
Protection of Information 
Resources 



Cheryl Helsing
Deloitte, Haskins & Sells



Marianne Swanson 
Mary Anne Todd 

National Computer Systems Laboratory 
National Institute of Standards and Technology
Gaithersburg, MD 20899



October 1989 



U.S. DEPARTMENT OF COMMERCE 
Robert A. Mosbacher, Secretary 

NATIONAL INSTITUTE OF STANDARDS 
AND TECHNOLOGY 

Raymond Q. Kammer, Acting Director 







Reports on Computer Systems Technology 

The National Institute of Standards and Technology (NIST) (formerly the National Bureau of Standards)
has a unique responsibility for computer systems technology within the Federal government. NIST's
National Computer Systems Laboratory (NCSL) develops standards and guidelines, provides technical
assistance, and conducts research for computers and related telecommunications systems to achieve
more effective utilization of Federal information technology resources. NCSL's responsibilities include
development of technical, management, physical, and administrative standards and guidelines for the
cost-effective security and privacy of sensitive unclassified information processed in Federal computers.
NCSL assists agencies in developing security plans and in improving computer security awareness
training. This Special Publication 500 series reports NCSL research and guidelines to Federal agencies as well
as to organizations in industry, government, and academia.



Library of Congress Catalog Card Number: 89-600762 
National Institute of Standards and Technology Special Publication 500-169 
Natl. Inst. Stand. Technol. Spec. Publ. 500-169, 20 pages (Oct. 1989) 

CODEN: NSPUE2 



U.S. GOVERNMENT PRINTING OFFICE 
WASHINGTON: 1989



For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402 



The National Institute of Standards and Technology (NIST) is responsible for developing standards,
providing technical assistance, and conducting research for computers and related telecommunications
systems. These activities provide technical support to government and industry in the
effective, safe, and economical use of computers. With the passage of the Computer Security Act
of 1987 (P.L. 100-235), NIST's activities also include the development of standards and guidelines
needed to assure the cost-effective security and privacy of sensitive information in Federal computer
systems. This guide is just one of three brochures designed for a specific audience. The
"Managers Guide to the Protection of Information Resources" and the "Computer User's Guide to
the Protection of Information Resources" complete the series.
Introduction



Federal agencies are becoming increasingly dependent upon 
automated information systems to carry out their missions. 
While in the past, executives have taken a hands-off approach 
in dealing with these resources, essentially leaving the area to 
the computer technologist, they are now recognizing that com- 
puters and computer-related problems must be understood 
and managed, the same as any other resource. 

The success of an information resources protection program 
depends on the policy generated, and on the attitude of 
management toward securing information on automated sys- 
tems. You, the policy maker, set the tone and the emphasis on 
how important a role information security will have within your 
agency. Your primary responsibility is to set the information
resource security policy for the organization with the objectives
of reduced risk, compliance with laws and regulations, and
assurance of operational continuity, information integrity, and
confidentiality.



Purpose of this Guide

This guide is designed to help you, the policy maker, address a
host of questions regarding the protection and safety of computer
systems and data processed within your agency. It introduces
information systems security concerns, outlines the
management issues that must be addressed by agency policies
and programs, and describes essential components of an effective
implementation process.



The Risks

The proliferation of personal computers, local-area networks,
and distributed processing has drastically changed the way we
manage and control information resources. Internal controls
and control points that were present in the past when we were
dealing with manual or batch processes have not always been
replaced with comparable controls in many of today's
automated systems. Reliance upon inadequately controlled
information systems can have serious consequences, including:

• Inability or impairment of the agency's ability to perform its
mission
• Inability to provide needed services to the public

• Waste, loss, misuse, or misappropriation of funds 

• Loss of credibility or embarrassment to an agency 

To avoid these consequences, a broad set of information 
security issues must be addressed effectively and comprehen- 
sively. Towards this end, executives should take a traditional 
risk management approach, recognizing that risks are taken in 
the day-to-day management of an organization, and that there 
are alternatives to consider in managing these risks. Risk is
accepted as part of doing business or is reduced or eliminated by
modifying operations or by employing control mechanisms.
Executive Responsibilities



Set the Security Policy of the Organization

Protecting information resources is an important goal for all
organizations. This goal is met by establishing an information
resource security program. It will require staff, funding and
positive incentives to motivate employees to participate in a
program to protect these valuable assets.

This information resource protection policy should state 
precisely: 

• the value to the agency of data and information resources and 
the need to preserve their integrity, availability, and confiden- 
tiality 

• the intent of the organization to protect the resources from 
accidental or deliberate unauthorized disclosure, modifica- 
tion, or destruction by employing cost-effective controls 

• the assignment of responsibility for data security throughout 
the organization 

• the requirement to provide computer security and awareness 
training to all employees having access to information resour- 
ces 

• the intent to hold employees personally accountable for in- 
formation resources entrusted to them 

• the requirement to monitor and assess data security via internal
and external audit procedures

• the penalties for not adhering to the policy 
Executive Goals



The policy established for securing information resources 
should meet the basic goals of reducing the risk, complying 
with applicable laws and regulations, and assuring operational 
continuity, integrity and confidentiality. This section briefly 
describes these objectives and how they can be met. 



Reduce Risk To An Acceptable Level

The dollars spent for security measures to control or contain
losses should never be more than the projected dollar loss if
something adverse happened to the information resource.
Cost-effective security results when reduction in risk is 
balanced with the cost of implementing safeguards. The 
greater the value of information processed, or the more severe 
the consequences if something happens to it, the greater the 
need for control measures to protect it. It is important that 
these trade-offs of cost versus risk reduction be explicitly con- 
sidered, and that executives understand the degree of risk 
remaining after selected controls are implemented. 



Assure Operational Continuity

With ever-increasing demands for timely information and
greater volumes of information being processed, availability of
essential systems, networks, and data is a major protection 
issue. In some cases, service disruptions of just a few hours are 
unacceptable. Agency reliance on essential computer systems 
requires that advance planning be done to allow timely restora- 
tion of processing capabilities in the event of severe service dis- 
ruption. The impact due to inability to process data should be 
assessed, and action taken to assure availability of those sys- 
tems considered essential to agency operation. 



Comply with Applicable Laws and Regulations

As the pervasiveness of computer systems increases and the
risks and vulnerabilities associated with information systems
become better understood, the body of law and regulations
compelling positive action to protect information resources
grows. OMB Circular No. A-130, "Management of Federal
Information Systems," and Public Law 100-235, "Computer
Security Act of 1987," are two such documents; knowledge of
these requirements provides a baseline for an information
resources security program.
Assure Integrity and Confidentiality

An important objective of an information resource management
program is to ensure that the information is accurate. Integrity
of information means you can trust the data and the
processes that manipulate it. A system has integrity when it
provides sufficient accuracy and completeness to meet the
needs of the user(s). It should be properly designed to
automate all functional requirements, include appropriate
accounting and integrity controls, and accommodate the full
range of potential conditions that might be encountered in its
operation.

Agency information should also be protected from intruders, as 
well as from employees with authorized computer access 
privileges who attempt to perform unauthorized actions. 

Assured confidentiality of sensitive data is often, but not
always, a requirement of agency systems. Privacy requirements
for personal information are generally dictated by statute,
while protection requirements for other agency information 
are a function of the nature of that information. Determina- 
tion of requirements in the latter case is made by the official 
responsible for that information. The impact of wrongful dis- 
closure should be considered in understanding confidentiality 
requirements. 
Information Protection Program Elements



Need for Policies and Procedures

Successful execution of the responsibilities previously outlined
requires establishing agency policies and practices regarding
information protection. The security policy directive facilitates
consistent protection of information resources. Supporting
procedures are most effectively implemented with top management
support, through a program focused on areas of highest
risk. A compliance assessment process ensures ongoing
effectiveness of the information protection program throughout the
agency.



Scope

Although the protection of automated information resources is
emphasized in this publication, protection requirements will
usually extend to information on all forms of media. Agency
programs should apply safeguards to all information requiring
protection, regardless of its form or location.

Comprehensive information resource protection procedures 
will address: accountability for information, vulnerability as- 
sessment, data access, hardware/software control, systems 
development, and operational controls. Protection should be 
afforded throughout the life cycle of information, from crea- 
tion through ultimate disposition. 



Accountability for Information

An effective information resource protection program identifies
the information used by the agency and assigns primary
responsibility for information protection to the managers of 
the respective functional areas supported by the data. These 
managers know the importance of the data to the organization 
and are able to quantify the economic consequences of un- 
desirable happenings. They are also able to detect deficiencies 
in data and know definitively who must have access to the data 
supporting their operations. A fundamental information protec- 
tion issue is assignment of accountability. Information flows 
throughout the organization and can be shared by many in- 
dividuals. This tends to blur accountability and disperse 
decision-making regarding information protection. Accoun- 
tability should be explicitly assigned for determining and 
monitoring security for appropriate agency information. 
When security violations occur, management must be accountable
for responding and investigating. Security violations
should trigger a re-evaluation of access authorizations, protection
decisions, and control techniques. All apparent violations
should be resolved; since absolute protection will never be
achieved, some losses are inevitable. It is important, however,
that the degree of risk assumed be commensurate with the
sensitivity or importance of the information resource to be
protected.



Vulnerability Assessment

A risk assessment program ensures management that periodic
reviews of information resources have considered the degree
of vulnerability to threats causing destruction, modification,
disclosure, and delay of information availability, in making
protection decisions and investments in safeguards.

The official responsible for a specific information resource 
determines protection requirements. Less-sensitive, less-essen- 
tial information will require minimal safeguards, while highly 
sensitive or critical information might merit strict protective 
measures. Assessment of vulnerability is essential in specifying 
cost-effective safeguards; overprotection can be needlessly cost- 
ly and add unacceptable operational overhead. 

Once cost-effective safeguards are selected, residual risk 
remains and is accepted by management. Risk status should be 
periodically re-examined to identify new threats, vul- 
nerabilities, or other changes that affect the degree of risk that 
management has previously accepted.



Data Access

Access to information should be delegated according to the
principles of need-to-know and least possible privilege. For a
multi-user application system, only individuals with authorized
need to view or use data are granted access authority, and they
are allowed only the minimum privileges needed to carry out
their duties. For personal computers with one operator, data
should be protected from unauthorized viewing or use. It is
the individual's responsibility to ensure that the data is secure.



Systems Development

All information systems software should be developed in a
controlled and systematic manner according to agency standards.
Agency policy should require that appropriate controls for
accuracy, security, and availability are identified during system
design, approved by the responsible official, and implemented.
Users who design their own systems, whether on a personal
computer or on a mainframe, must adhere to the systems
development requirements.

Systems should be thoroughly tested according to accepted 
standards and moved into a secure production environment 
through a controlled process. Adequate documentation should 
be considered an integral part of the information system and 
be completed before the system can be considered ready for 
use. 



Hardware/Software Configuration Control

Protection of hardware and resources of computer systems and
networks greatly contributes to the overall level of control and
protection of information. The information protection policies
should provide substantial direction concerning the management
and control of computer hardware and software.

Agency information should be protected from the potentially
destructive impact of unauthorized hardware and software. 
For example, software "viruses" have been inserted into com- 
puters through games and apparently useful software acquired 
via public access bulletin boards; viruses can spread from sys- 
tem to system before being detected. Also, unauthorized 
hardware additions to personal computers can introduce un- 
known dial-in access paths. Accurate records of 
hardware/software inventory, configurations, and locations 
should be maintained, and control mechanisms should provide 
assurance that unauthorized changes have not occurred. 
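The inventory-and-baseline control described above, as an added example in Python that is not part of the NIST guide: it records the hashes of approved software and the approved hardware inventory, then reports any software added, removed or altered and any hardware change that was not recorded through the configuration-control process. All paths, asset tags and file contents are constructed sample data.

```python
"""Configuration-control baseline check (added example, not from NIST SP 500-169).

A baseline records the SHA-256 of every file under an approved software
directory plus the approved hardware inventory. A later run compares the
current state with the baseline and reports additions, removals and
modifications: the assurance that unauthorized changes have not occurred.
All paths, asset tags and file contents here are constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    digests: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            h = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def build_baseline(software_root: Path, hardware: Dict[str, dict]) -> dict:
    """Snapshot approved software (by hash) and approved hardware (by asset tag)."""
    return {"software": hash_tree(software_root), "hardware": hardware}


def diff_state(baseline: dict, software_root: Path,
               hardware: Dict[str, dict]) -> Dict[str, List[str]]:
    """Compare the current state with the baseline. Every finding is a change
    that did not go through the configuration-control process."""
    findings: Dict[str, List[str]] = {"added": [], "removed": [], "modified": []}
    current = {"software": hash_tree(software_root), "hardware": hardware}
    for kind in ("software", "hardware"):
        old, new = baseline[kind], current[kind]
        for key in sorted(set(old) | set(new)):
            if key not in old:
                findings["added"].append(f"{kind}:{key}")
            elif key not in new:
                findings["removed"].append(f"{kind}:{key}")
            elif old[key] != new[key]:
                findings["modified"].append(f"{kind}:{key}")
    return findings


def demo() -> Dict[str, List[str]]:
    """Run the check against constructed sample data and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "payroll.exe").write_bytes(b"approved payroll program v1")
        (root / "bin" / "report.exe").write_bytes(b"approved report program v1")
        hardware = {  # constructed asset records
            "PC-0001": {"location": "Room 101", "cards": ["network"]},
            "PC-0002": {"location": "Room 102", "cards": ["network"]},
        }
        baseline = build_baseline(root, hardware)

        # Simulated unrecorded changes: a program copied in from outside, an
        # approved program altered, and a modem card added to a PC (the
        # "unknown dial-in access path" the guide warns about).
        (root / "bin" / "game.exe").write_bytes(b"unapproved game from a bulletin board")
        (root / "bin" / "payroll.exe").write_bytes(b"approved payroll program v1 + patch")
        hardware_now = json.loads(json.dumps(hardware))  # deep copy before editing
        hardware_now["PC-0002"]["cards"].append("modem")
        return diff_state(baseline, root, hardware_now)


if __name__ == "__main__":
    for category, items in demo().items():
        print(f"{category}: {items}")
```

In practice the baseline would be stored where the people who operate the machines cannot rewrite it (the guide's point about independence applies to the record as much as to the staff), and the comparison run on a schedule so that findings feed the violation-response and re-evaluation steps described in the accountability section.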

To avoid legal liability, no unauthorized copying of software
should be permitted. Agencies should also address the issue of 
personal use of Federal computer systems, giving employees 
specific direction about allowable use and providing consistent 
enforcement. 
Operational Controls

Agency standards should clearly communicate minimum expected
controls to be present in all computer facilities, computer
operations, input/output handling, network management,
technical support, and user liaison. More stringent controls
would apply to those areas that process very sensitive or critical
information.

Protection of these areas would include: 

• Security management; 

• Physical security; 

• Security of system/application software and data; 

• Network security; and 

• Contingency planning. 

The final section of this guide describes the organizational 
process of developing, implementing, and managing the ongo- 
ing information protection program. 
Information Protection Program Implementation



Information Protection Management

In most cases, agency executive management is not directly
involved in the details of achieving a controlled information
processing environment. Instead, executive action should 
focus on effective planning, implementation, and an ongoing 
review structure. Usually, an explicit group or organization is 
assigned specific responsibility for providing day-to-day 
guidance and direction of this process. Within this group an in- 
formation security manager (ISM) should be identified as a per- 
manent focal point for information protection issues within the 
agency. 

The ISM must be thoroughly familiar with the agency mission, 
organization, and operation. The manager should have suffi- 
cient authority to influence the organization and have access to 
agency executives when issues require escalation. 

Independence

In determining the reporting relationship of the ISM,
independence of functional areas within the agency is desirable.
Plans and budget for the ISM function should be approved by 
agency management, rather than being part of any functional 
area budget. This approach avoids conflicts of interest and 
facilitates development and maintenance of a comprehensive 
and consistent protection program that serves the needs of 
agency management. 

Degree of Centralization

The desirability of centralized versus decentralized security is
heavily debated and largely depends on size, organizational
structure, and management approach at the individual agency. 
A centralized approach to security has the advantages of being 
directly responsive to executive direction and specifically ac- 
countable for progress and status. 

A decentralized approach to security has the advantages of 
being close to the functional area involved. In the long term, 
decentralization may provide better integration of security with 
other entity functions. 



An effective combined approach offers advantages. A small 
dedicated resource at the agency level can direct the informa- 
tion protection program, while additional resources are utilized 
at the functional area level to implement the program in each 
area. 

Dedicated Staff

The common practice of assigning responsibility for information
security to existing staff with other major responsibilities is
often unsuccessful. At least one dedicated staff member is 
recommended at the program management level. 

The need for additional full-time resources depends on the 
agency's computer environment. The number of information 
systems, their technical complexity, the degree of networking, 
the importance of information processed, adequacy of existing 
controls, and extent of agency dependence on information sys- 
tems affect the resources needed. 



Implementation Stages

Development of a comprehensive information protection
program that is practiced and observed widely throughout a
Federal agency occurs in stages and requires ongoing monitor- 
ing and maintenance to remain viable. 

First, organizational requirements for information protection 
are identified. Different agencies have varying levels of need 
for security, and the information protection program should be 
structured to most effectively meet those needs. 

Next, organizational policies are developed that provide a 
security architecture for agency operations, taking into con- 
sideration the information protection program elements dis- 
cussed in the previous section of this guide. The policies under-
go normal review procedures, then are approved by agency 
management for implementation. 

Activities are then initiated to bring the agency into com- 
pliance with the policies. Depending on the degree of 
centralization, this might require development of further plans 
and budgets within functional entities of the agency to imple- 
ment the necessary logical and physical controls. 
Training

Training is a major activity in the implementation process.

Security violations are the result of human action, and 
problems can usually be identified in their earliest stages by 
people. Developing and maintaining personnel awareness of 
information security issues can yield large benefits in preven- 
tion and early detection of problems and losses. 

Target audiences for this training are executives and policy 
makers, program and functional managers, IRM security and 
audit personnel, computer management and operations, and 
end users. Training can be delivered through existing policy 
and procedures manuals, written materials, presentations and 
classes, and audio-visual training programs. 

The training provided should create an awareness of risks and 
the importance of safeguards, underscoring the specific respon- 
sibilities of each of the individuals being trained. 

Monitoring and Enforcement

An ongoing monitoring and enforcement program assures
continued effectiveness of information protection measures.

Compliance may be measured in a number of ways, including 
audits, management reviews or self-assessments, surveys, and 
other informal indicators. A combination of monitoring 
mechanisms provides greater reliability of results. 

Variances from policy requirements should be accepted only in 
cases where the responsible official has evaluated, docu- 
mented, and accepted the risk of noncompliance. Enforce- 
ment of agency policies and practices is important to the over- 
all success of an information protection program. Inconsistent 
or lax enforcement quickly results in deterioration of internal 
controls over information resources. 

A positive benefit of an effective monitoring and enforcement 
process is an increased understanding of the degree of informa- 
tion-related risk in agency operations. Without such a feed- 
back process, management unknowingly accepts too much risk. 
An effective information protection program allows the agency
to continue to rely upon and expand the use of information
technology while maintaining an acceptable level of risk.
Maintenance

As agency initiatives and operations change, and as the
computer environment evolves, some elements of the information
protection program will require change as well. Information 
protection cannot be viewed as a project with a distinct end; 
rather, it is a process that should be maintained to be realistic 
and useful to the agency. Procedures for review and update of 
policies and other program elements should be developed and 
followed. 
For Additional Information



National Institute Of Standards and Technology 
Computer Security Program Office 
A-216 Technology 
Gaithersburg, MD 20899 
(301) 975-5200 



For further information on the management of information resources, NIST publishes Federal
Information Processing Standards Publications (FIPS PUBS). These publications deal with many
aspects of computer security, including password usage, data encryption, ADP risk management 
and contingency planning, and computer system security certification and accreditation. A list of 
current publications is available from: 



Standards Processing Coordinator (ADP) 
National Computer Systems Laboratory 
National Institute of Standards and Technology 
Technology Building, B-64 
Gaithersburg, MD 20899 
Phone: (301) 975-2817 